Remoting

PowerShell remoting is an important topic, as many customers still think that it is insecure. The complete opposite is actually the case, as will be explained throughout this section. Unfortunately, many customers use other remoting capabilities instead, such as:

  • Remote Desktop Protocol (RDP)/MSTSC
  • PSEXEC
  • SMB file share access/SMBv1
  • Remote WMI access over RPC, which uses clear text by default and dynamic ports
  • Remote event log management
  • Remote service management

In addition to this widespread lack of understanding, there are still many companies out there that don't even enable or correctly configure a firewall on their endpoints, and these are just the basics.

PowerShell Core supports remoting via WMI, WS-Management, and SSH; RPC is no longer supported. Remoting with Windows PowerShell uses WinRM (Windows Remote Management) by default.

When you use the -ComputerName parameter of a cmdlet, Remote Procedure Call (RPC) is used as the underlying protocol, which has been deprecated in PowerShell Core. Avoid this approach in your scripts.

In the default settings, members of the Administrators group are allowed to use remoting, which runs over the following ports by default:

  • 5985 (http)
  • 5986 (https, which requires a certificate)

Many customers decide to go for https in order to completely mitigate man-in-the-middle (MITM) attacks, but the transferred content is already encrypted by default. After the initial authentication, an AES-256 symmetric key is used for every session, which makes the additional work of securing remoting with a certificate and https questionable. The default authentication protocol is Kerberos, which should always be preferred. Furthermore, WinRM runs as a separate service under the Network Service account and spawns isolated processes, running as the connecting user accounts, to host the PowerShell instances.

In its default configuration, PowerShell remoting is actually secure. If you want to, you can tighten the rules with dedicated IP filters and define which user groups are allowed to connect to specific servers. In particular, if you are going up a tier level and the destination servers are jump servers or privileged access workstations (PAWs), it is recommended to harden the remoting connections and monitor them. On the monitoring side, you can make use of PowerShell's logging capabilities, which give a complete overview of the remoting connections and force attackers to leave fingerprints everywhere.
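As an added example (not code from the book), the following script audits the defaults described in this section and, with -Apply, applies the hardening it recommends: a source-address filter, a restricted set of groups on the default endpoint, and PowerShell logging. The management subnet and the CONTOSO\Tier0-Admins group are assumed placeholders for your own environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): audit the WinRM defaults described in the text
# and, with -Apply, tighten them. Assumed values: the management subnet and the
# CONTOSO\Tier0-Admins group are placeholders for your own environment.
param(
    [switch]$Apply,
    [string]$ManagementSubnet = '10.10.0.0/24',        # assumed management network
    [string]$TierAdminGroup   = 'CONTOSO\Tier0-Admins' # assumed AD group
)
# 1. Listeners: by default only HTTP on 5985; 5986 appears once an HTTPS listener
#    has been bound to a certificate.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint

# 2. Authentication and transport settings: Kerberos on, Basic off, no unencrypted
#    traffic. Payloads are AES-encrypted even on the HTTP listener.
$service = 'WSMan:\localhost\Service'
[ordered]@{
    Kerberos         = (Get-Item "$service\Auth\Kerberos").Value
    Basic            = (Get-Item "$service\Auth\Basic").Value
    AllowUnencrypted = (Get-Item "$service\AllowUnencrypted").Value
}
# 3. Who may connect to each endpoint (default: Administrators and Remote Management Users)
#    and which source addresses the built-in WinRM firewall rules accept.
Get-PSSessionConfiguration | Select-Object Name, Permission
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

if ($Apply) {
    # Limit the source addresses for the built-in WinRM firewall rules.
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $ManagementSubnet
    # Limit the default endpoint to Administrators plus the tier admin group
    # (the default SDDL minus Remote Management Users and Interactive Users).
    $sid  = ([System.Security.Principal.NTAccount]$TierAdminGroup).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force
    # Script block and module logging: every remote command ends up in the
    # Microsoft-Windows-PowerShell/Operational log (events 4103/4104).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item "$pol\ScriptBlockLogging", "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty "$pol\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Force | Out-Null
}
# 4. Recent remoting activity: 169 = user authenticated (the message names the protocol),
#    91 = remote shell created for a session configuration.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 169, 91 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once without -Apply to see the baseline, then with -Apply on a jump server or PAW; Set-PSSessionConfiguration restarts the WinRM service, so existing sessions are dropped.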

All of this leads to the following conclusion:

PowerShell Remoting is by default the most secure remoting technology, providing full transparent logs and enabling control over which user and computer groups are allowed to remote to specific machines.

Therefore, PowerShell should actually be the only way to accomplish tasks of higher privilege or to move up tier levels.
